[{"data":1,"prerenderedAt":196},["ShallowReactive",2],{"publication-daily-threat-publications-2026-04-06":3},{"pub_id":4,"headline":5,"summary":6,"pub_date":7,"total_articles":8,"articles":9},"pub-2026-04-06","Fortinet Zero-Day Exploited, Medusa Ransomware Weaponizes Flaws in Hours, and AI Phishing Bypasses MFA","This 24-hour period ending April 6, 2026, is marked by urgent threats, including the active exploitation of a critical Fortinet zero-day (CVE-2026-35616) and a new Windows LPE zero-day leak. Microsoft reports the Medusa ransomware group is now weaponizing vulnerabilities within 24 hours of disclosure, while a separate AI-powered phishing campaign compromises hundreds of M365 organizations daily by abusing the device code flow. Other major incidents include a critical Cisco IMC flaw, an Iranian password-spraying campaign in the Middle East, and a cyberattack on toy giant Hasbro.","2026-04-06",10,[10,33,55,79,97,115,132,150,165,182],{"id":11,"slug":12,"headline":13,"title":14,"severity":15,"excerpt":16,"tags":17,"categories":24,"createdAt":27,"updatedAt":28,"readingTime":29,"isUpdate":30,"updateSummary":31,"updateContent":32},"984670b1-dc0f-41e8-80a3-0c32484952cb","79-percent-it-leaders-view-ai-powered-attacks-as-significant-threat","AI-Powered Attacks Now a Top Concern for 79% of IT Leaders, Armis Report Finds","Armis Report: Nearly 8 in 10 IT Leaders View AI-Powered Attacks as a Major Threat","informational","According to the fourth annual 'State of Cyberwarfare Report' by Armis, 79% of global IT decision-makers now consider artificial intelligence a significant security threat. The report, which surveyed 1,900 IT leaders, highlights a new phase of cyber conflict where AI is being weaponized by attackers to automate reconnaissance, vulnerability discovery, and lateral movement. Experts warn that AI compresses the 'critical risk window' between vulnerability discovery and exploitation, outpacing the response capabilities of many security teams. 
In response, 49% of security leaders are making AI and automation their top investment priority for 2026 to keep pace with these accelerated threats.",[18,19,20,21,22,23],"AI","Artificial Intelligence","Cyberwarfare","Threat Landscape","Armis","Security Report",[25,26],"Threat Intelligence","Policy and Compliance","2026-03-18T15:00:00.000Z","2026-04-06T00:00:00.000Z",3,true,"Microsoft warns of Storm-1175 Medusa ransomware group exploiting N-day/zero-day flaws for deployment within 24-48 hours, demonstrating accelerated attack timelines.","Microsoft research details Storm-1175, a Medusa ransomware group, capable of exploiting newly disclosed N-day and zero-day vulnerabilities to achieve full ransomware deployment in 24-48 hours. This high-velocity operation targets web-facing assets across healthcare and education, using legitimate remote management tools. The group's rapid attack cycle exemplifies the shrinking 'critical risk window' between vulnerability disclosure and exploitation, underscoring the urgent need for aggressive patch management and robust attack surface monitoring to counter these accelerated threats.",{"id":34,"slug":35,"headline":36,"title":37,"severity":38,"excerpt":39,"tags":40,"categories":47,"createdAt":50,"updatedAt":51,"readingTime":52,"isUpdate":30,"updateSummary":53,"updateContent":54},"0736d0d9-2efe-45c1-9d7e-fba36cc0ac69","threat-actors-exploit-tax-season-with-diverse-phishing-and-malware-campaigns","Cybercriminals Exploit Tax Season with Over 100 Unique Phishing and Malware Campaigns","Threat Actors Ramp Up Tax-Themed Attacks with Phishing, BEC, and RMM Tool Deployment","high","As tax season intensifies, a surge of over one hundred distinct cyber campaigns is exploiting the urgency of filing deadlines, according to a report from Proofpoint. Threat actors are using a variety of tax-themed lures, such as fake W-8BEN, W-2, and W-9 forms, to conduct credential phishing, Business Email Compromise (BEC), and malware distribution. 
A notable trend is the use of these phishing emails to trick victims into installing legitimate Remote Monitoring and Management (RMM) tools, which provides attackers with persistent access to compromised systems. Campaigns have been observed globally, with a newly identified actor, TA2730, focusing on targets in Asia.",[41,42,43,44,45,46],"Phishing","Tax Season","BEC","RMM","Social Engineering","Credential Theft",[41,48,49],"Malware","Threat Actor","2026-03-31T15:00:00.000Z","2026-04-06T12:00:00.000Z",6,"Tax season scam update: specific RMM tools (N-able, Datto) identified as RATs. Detailed W-2 BEC tactics and severe organizational impacts, including fines and lawsuits, are highlighted.","New analysis of tax season phishing campaigns reveals specific Remote Monitoring and Management (RMM) tools, such as N-able and Datto, are being leveraged as Remote Access Trojans (RATs). The update also provides a more detailed breakdown of W-2 Business Email Compromise (BEC) scam tactics, including impersonation of the IRS and executives. It further clarifies the severe organizational impacts of these W-2 breaches, which can lead to massive data breaches, regulatory fines, reputational damage, and class-action lawsuits. 
Detection and mitigation strategies are reinforced, emphasizing employee training and application control.",{"id":56,"slug":57,"headline":58,"title":59,"severity":60,"excerpt":61,"tags":62,"categories":71,"createdAt":73,"updatedAt":28,"readingTime":74,"cves":75,"cvssScore":76,"isUpdate":30,"updateSummary":77,"updateContent":78},"329444bd-a394-4d09-898b-e896cdfb86ba","critical-f5-big-ip-vulnerability-cve-2025-53521-reclassified-and-exploited","F5 BIG-IP Flaw Escalated to Critical 9.8 RCE, Now Under Active Attack","F5 Reclassifies 5-Month-Old BIG-IP Vulnerability (CVE-2025-53521) to Critical RCE, CISA Confirms Active Exploitation","critical","F5 has urgently reclassified a vulnerability in its BIG-IP Access Policy Manager (APM), CVE-2025-53521, from a medium-severity Denial-of-Service (DoS) flaw to a critical 9.8 CVSS unauthenticated Remote Code Execution (RCE) vulnerability. Originally disclosed in October 2025, F5 updated its advisory on March 28, 2026, after discovering it could be exploited for full system compromise. The vulnerability is now under active attack in the wild, prompting CISA to add it to its Known Exploited Vulnerabilities (KEV) catalog. Attackers can send crafted traffic to a virtual server with an APM policy to gain root access. F5 urges customers to apply the patches released in October 2025, which are confirmed to mitigate this severe RCE vector.",[63,64,65,66,67,68,69,70],"CVE-2025-53521","F5","BIG-IP","RCE","Vulnerability","CISA","KEV","Patch Management",[67,70,72],"Cyberattack","2026-04-01T15:00:00.000Z",5,[63],9.8,"New Indicators of Compromise (IOCs) for the F5 BIG-IP RCE (CVE-2025-53521) have been released, alongside updated figures showing over 14,000 exposed systems.","F5 has released additional Indicators of Compromise (IOCs) for the actively exploited BIG-IP RCE (CVE-2025-53521). New detection methods include monitoring `/var/log/apm` for SELinux disable entries, `/var/log/auditd` for process ID 0, and `/tmp/` for suspicious files. 
Scans reveal over 14,000 BIG-IP systems remain exposed online, highlighting the urgent need for patching. This update underscores the importance of reviewing patch prioritization policies, as initial lower severity ratings can quickly escalate to critical, actively exploited threats.",{"id":80,"slug":81,"headline":82,"title":83,"severity":38,"excerpt":84,"tags":85,"categories":91,"createdAt":94,"updatedAt":51,"readingTime":52,"isUpdate":30,"updateSummary":95,"updateContent":96},"cff92fdc-4d32-463b-9981-c518e9223baf","toy-giant-hasbro-hit-by-cyberattack-recovery-to-take-weeks","Toy Giant Hasbro Hit by Cyberattack, Recovery to Take Weeks","Hasbro Confirms Cyberattack Causing Significant Disruption, Recovery Expected to Take Weeks","The global toy and entertainment company Hasbro, Inc. has confirmed it was the victim of a cyberattack. The incident, detected on March 28, 2026, involved unauthorized access to its network and has caused significant operational disruption. The company immediately shut down affected systems and engaged external experts to investigate. In an SEC filing, Hasbro stated it was in its second week of limited operations and expects the recovery period to last several more weeks, suggesting a sophisticated intrusion with potential persistence. The specific nature of the attack, such as whether it involved ransomware or data theft, has not yet been disclosed.",[86,87,88,89,90],"cyberattack","Hasbro","data breach","incident response","SEC",[72,92,93],"Data Breach","Ransomware","2026-04-02T15:00:00.000Z","Hasbro confirms consumer-facing platforms like D&D Beyond and Hasbro Pulse were unaffected by the cyberattack, limiting direct customer impact.","New reports confirm that Hasbro's consumer-facing digital platforms, including D&D Beyond and Hasbro Pulse, were not impacted by the recent cyberattack. 
This clarification indicates that while internal systems are disrupted, direct customer interaction points remain operational, potentially limiting broader reputational and financial damage related to customer-facing services. The company continues to investigate the full scope of the incident and anticipates several more weeks of recovery.",{"id":98,"slug":99,"headline":100,"title":101,"severity":60,"excerpt":102,"tags":103,"categories":111,"createdAt":112,"updatedAt":51,"readingTime":74,"isUpdate":30,"updateSummary":113,"updateContent":114},"7bb31a73-2c82-4c72-988a-c7e515d861ab","unpatched-windows-zero-day-exploit-bluehammer-leaked-online","Unpatched Windows Zero-Day 'BlueHammer' Exploit Leaked, Allows SYSTEM-Level Access","Unpatched Windows Zero-Day Exploit \"BlueHammer\" Leaked Online After Disclosure Dispute","A security researcher has publicly released a proof-of-concept (PoC) exploit for an unpatched Windows zero-day vulnerability dubbed \"BlueHammer.\" The leak, which occurred after a dispute with the Microsoft Security Response Center (MSRC), exposes a local privilege escalation (LPE) flaw. The exploit allows a local attacker with limited access to gain full SYSTEM-level permissions on a compromised machine, significantly increasing the risk for Windows users as the vulnerability remains unpatched.",[104,105,106,107,108,109,110],"zero-day","LPE","privilege escalation","Windows","exploit","PoC","TOCTOU",[67,48,72],"2026-04-03T15:00:00.000Z","New technical details reveal 'BlueHammer' LPE abuses Windows Defender, VSS, and junctions to access SAM database for NTLM hash dumping.","Further analysis of the 'BlueHammer' Windows zero-day exploit reveals it's a logical flaw, not memory corruption. It chains the Windows Defender update process, Volume Shadow Copy Service (VSS), and file system junctions to gain access to locked system files, specifically the SAM database. 
This allows attackers to dump NTLM password hashes, enabling offline cracking or Pass-the-Hash attacks, significantly enhancing credential theft capabilities. New detection strategies focus on monitoring VSS activity and SAM file access, aligning with MITRE ATT&CK T1003.003.",{"id":116,"slug":117,"headline":118,"title":119,"severity":60,"excerpt":120,"tags":121,"categories":125,"createdAt":126,"updatedAt":28,"readingTime":127,"cves":128,"cvssScore":129,"isUpdate":30,"updateSummary":130,"updateContent":131},"37dbe14d-4359-4099-b295-61b25c00dc13","fortinet-patches-actively-exploited-forticlient-ems-zero-day-cve-2026-35616","Fortinet Scrambles to Patch Actively Exploited FortiClient EMS Zero-Day (CVE-2026-35616)","Fortinet Releases Emergency Hotfix for Critical RCE Zero-Day in FortiClient EMS, CISA Adds to KEV Catalog","Fortinet has released an emergency hotfix for a critical zero-day vulnerability, CVE-2026-35616, affecting its FortiClient Endpoint Management Server (EMS). The flaw, rated 9.1 on the CVSS scale, is an improper access control issue that allows an unauthenticated remote attacker to achieve remote code execution. Fortinet confirmed the vulnerability is being actively exploited in the wild, prompting the U.S. CISA to add it to its Known Exploited Vulnerabilities (KEV) catalog and mandate a swift patching deadline for federal agencies.",[122,123,124,66,67,68,69],"Zero-Day","Fortinet","CVE-2026-35616",[67,70,72],"2026-04-05T15:00:00.000Z",4,[124],9.1,"CVSS score updated to 9.8, nearly 2,000 FortiClient EMS instances exposed online, and new IOCs released as exploitation attempts increase.","The CVSS score for CVE-2026-35616 has been updated from 9.1 to 9.8, reflecting a higher critical impact. Analysis reveals nearly 2,000 FortiClient EMS instances are exposed online, with initial exploitation detected around March 31, 2026. Security researchers report a significant increase in scanning and exploitation attempts. 
New indicators of compromise (IOCs) include specific URL patterns (/api/v1/vulnerabilities), monitoring FCTDas.exe for suspicious child processes, and scrutinizing inbound connections to EMS port 8013. Organizations are urged to apply hotfixes immediately and consider network isolation for management interfaces.",{"id":133,"slug":134,"headline":135,"title":136,"severity":60,"excerpt":137,"tags":138,"categories":145,"createdAt":147,"updatedAt":147,"readingTime":74,"cves":148,"cvssScore":76,"isUpdate":149},"472531d8-b9be-4841-a4f2-9cb6260019db","critical-cisco-imc-flaw-allows-unauthenticated-admin-takeover","Critical Cisco IMC Flaw (CVE-2026-20093) Allows Full Server Takeover","Cisco Patches Critical 9.8 CVSS Flaw in IMC Firmware Allowing Unauthenticated Admin Password Reset","Cisco has patched a critical authentication bypass vulnerability, CVE-2026-20093, in its Integrated Management Controller (IMC) firmware. The flaw, rated 9.8 on the CVSS scale, allows an unauthenticated, remote attacker to reset any user's password, including the administrator's, by sending a single crafted HTTP request. A successful exploit grants complete hardware-level control over a wide range of Cisco UCS servers and appliances. 
Cisco has released patched firmware and advises customers to update immediately, as there are no workarounds.",[139,140,141,142,66,143,144],"Cisco","CVE-2026-20093","IMC","authentication bypass","firmware","UCS Server",[67,70,146],"Industrial Control Systems","2026-04-06T15:00:00.000Z",[140],false,{"id":151,"slug":152,"headline":153,"title":154,"severity":38,"excerpt":155,"tags":156,"categories":164,"createdAt":147,"updatedAt":147,"readingTime":74,"isUpdate":149},"5b361541-78a4-42fe-9277-6d3b03f8c6ae","qilin-ransomware-targets-german-political-party-die-linke","Qilin Ransomware Attacks German Party Die Linke, Threatens Data Leak","Qilin Ransomware Claims Attack on German Political Party \"Die Linke,\" Hinting at Political Motivation","The Russian-speaking Qilin ransomware group has claimed responsibility for a cyberattack against the German political party Die Linke. The attack, detected on March 26, prompted the party to shut down parts of its IT infrastructure. Qilin is now threatening to publish stolen internal documents and employee data on its dark web leak site. While the main membership database was not compromised, Die Linke has suggested the attack may be politically motivated and part of a broader hybrid warfare campaign, not just a random criminal act.",[157,158,159,160,161,162,163],"Qilin","ransomware","Die Linke","Germany","political party","hybrid warfare","data leak",[93,49,72],{"id":166,"slug":167,"headline":168,"title":169,"severity":38,"excerpt":170,"tags":171,"categories":181,"createdAt":147,"updatedAt":147,"readingTime":74,"isUpdate":149},"d5e9de05-1d5d-43e0-a966-33532a3c516f","north-korean-hackers-use-github-as-c2-in-south-korea-campaign","North Korean Hackers Abuse GitHub for C2 in Campaign Targeting South Korea","North Korean Actors Use GitHub as Covert C2 in LNK-Based Malware Campaign","A sophisticated, multi-stage phishing campaign attributed to North Korean state-sponsored actors is targeting organizations in South Korea. 
The attackers use malicious Windows shortcut (LNK) files disguised as business documents to deliver a PowerShell-based payload. A key feature of the campaign is the abuse of GitHub as a command-and-control (C2) channel, allowing the malware to exfiltrate data and receive commands by communicating with attacker-controlled repositories. This tactic helps the malicious traffic blend in with legitimate web activity, evading detection. The campaign shows links to known North Korean groups like Kimsuky and Lazarus.",[172,173,174,175,176,177,178,179,180],"North Korea","Kimsuky","Lazarus","GitHub","C2","LNK file","PowerShell","espionage","South Korea",[49,41,72],{"id":183,"slug":184,"headline":185,"title":186,"severity":60,"excerpt":187,"tags":188,"categories":194,"createdAt":147,"updatedAt":147,"readingTime":74,"cves":195,"cvssScore":76,"isUpdate":149},"95615e4e-a713-41f1-91cc-5532ea82121f","critical-rce-vulnerability-chain-in-progress-sharefile-disclosed","Critical RCE Chain in Progress ShareFile Allows Unauthenticated Takeover","Critical RCE Chain (CVE-2026-2699 & CVE-2026-2701) in Progress ShareFile Disclosed","Security researchers have publicly disclosed a critical vulnerability chain in the on-premise version of Progress ShareFile Storage Zones Controller. The chain combines an authentication bypass (CVE-2026-2699, CVSS 9.8) and a file upload flaw (CVE-2026-2701, CVSS 9.1), allowing an unauthenticated attacker to achieve remote code execution (RCE) and take over the server. Although Progress patched the flaws in March, the public disclosure of technical details increases the risk for the nearly 30,000 internet-exposed instances that remain unpatched.",[189,66,190,191,192,142,193],"Progress ShareFile","vulnerability chain","CVE-2026-2699","CVE-2026-2701","web shell",[67,72,70],[191,192],1775683849405]